Attack Code Found For Recent Windows Bug
CWmike writes "Just a day after downplaying the vulnerability that caused it to issue an out-of-cycle patch last week, Microsoft warned customers late yesterday that exploit code had gone public and was being used in additional attacks. 'We've identified the public availability of exploit code that now shows code execution for the vulnerability addressed by MS08-067,' said Mike Reavey, operations manager of Microsoft's Security Response Center, in a post to the MSRC blog. 'This exploit code has been shown to result in remote code execution on Windows Server 2003, Windows XP, and Windows 2000.'"
Let's see, perpetually vulnerable-to-script-kiddies Windows XP, or locks-up-every-5-seconds Ubuntu?
Time to set Windows to automatically reboot my computer without my permission.
So... this horrible deadly plague of terror only affects the products that Microsoft is trying desperately to grandfather?
Huh... Imagine that.
For those interested, there was a really cool hack of hotpatching the files and services that are affected by this exploit. The Microsoft patch isn't designed to be hotpatched, instead requiring a reboot to replace the needed files. However, by using a binary diff and DLL injection you can apply the patch on the fly without rebooting.
I wish Microsoft would put more effort into making the official patches not require a reboot. Consumer operating systems are one thing, but rebooting Windows servers gets annoying really fast.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
Slashdot's unbiased coverage of an exploit for a patch that was released last week has finally convinced me to stop using MS products. I'm also beginning to think this MS might be evil as well.
Just in case the /. entry seemed as ambiguous to you as it did to me, the linked article states "Our investigation has shown that it does not affect customers who have installed the update."
If anyone's interested.
http://milw0rm.com/sploits/2008-MS08-067.rar
Windows Rocks!
And, you'd have to be pissed to think like me....
This is added incentive to complete YOUR testing of this patch ASAP.
Remember, only incompetent admins apply patches without testing them.
In our environment, the patch would have been put into testing the day after it was released (no sense getting caught by a brown paper bag bug) and then into production NEXT Sunday.
With a known exploit out there, we'd be getting more people to test the test systems TODAY. With the goal of putting the patch into production TOMORROW evening.
This is like a droning gong.
*Gong* Bring out your dead *Gong* Windows is insecure *Gong* Bring out your dead *Gong*
It seems to me there is a fatigue that sets in regarding unpleasant information. How many times does one have to hear a thing, especially an unpleasant thing they don't want to hear, before that person stops listening to it? This happens to me at least. We see this (as a parallel) in politics all the time, when we're told this guy or that person broke the law. It's like a background din you have to tune out to get through the day.
It's made worse because there is no solution.
For the user of Windows, there is nothing they can do about the fundamental insecurity that leads to repeated, consistent, and regular security updates like this. The only option is to change OS, which, if you're the average computer user, is not an option without significant expense. It's unpleasant to hear that crackers are breaking into computers and turning them into zombie swarms of attacking botnets. Hear the same bad thing enough times, eventually people stop listening.
I was fortunate: my Windows laptop was stolen in 2004 and I made the switch, and now use Mac and Linux exclusively. Not that Mac is any panacea - I still can't stand Finder, I think it is awful, and curse it every time I need to move a few files to some other folder on another drive (usually I just use "mv"). BUT at least I'm not forced to start ignoring serious security threats that I can't prevent or address effectively. (I don't consider a long series of "After the crack" patches effectively addressing the problem.)
I'll give them credit for patching this quickly. This could have been Yet Another Windows Worm (TM) that brings all legitimate network traffic to a halt. And us Slashdotters have been after them for years for taking too long to patch things, so it would be completely hypocritical to get pissed at them for doing what we'd want them to do.
I'll hate them for having the exploit possible in the first place, I'll hate them for requiring reboots, I'll hate them for forcing crappy software down our throats, but every once in a while they do something right.
I am officially gone from
Instead they issued an out-of-cycle patch and they gave it a very high severity rating in their bulletins. None of us are Microsoft lovers. But you don't have to lie to us just to be able to pat us on the back. It's disgusting, please stop it.
How does this translate into downplaying the threat?
October 23, 2008 (IDG News Service) Microsoft Corp. fixed a critical bug in its Windows operating system Thursday, saying that it is being exploited by online criminals and could eventually be used in a widespread "worm" attack.
Microsoft took the unusual step of issuing an emergency patch for the flaw several weeks ahead of its regularly scheduled November security updates, saying that vulnerability is being exploited in "limited targeted attacks." The company had already announced plans to rush out the patch.
"It is possible that this vulnerability could be used in the crafting of a wormable exploit. If successfully exploited, an attacker could then install programs or view, change, or delete data; or create new accounts with full user rights," Microsoft said in a bulletin released Thursday morning. Microsoft releases emergency Windows patch to head off worm attack [Oct 23]
New Windows bug differs from 2006 flaw, Microsoft says [Oct 27]
You are an idiot. 5 9s gives you just 5 minutes per year of downtime. You think if something fails in a system, you can get it back up in 5 minutes? Hell no. You want reliability like that, you do it with redundant systems. Well, in that case the individual units can certainly go down. Perfectly valid strategy. You patch them whenever you feel like, making sure that only one is down at a time and that it comes back up to full operational status before you do the next one.
A single system, well you are just rolling the dice. Sure I've seen single systems go for over a year, no crashes, no hardware faults. I've also seen plenty that have gone down. When a problem does occur, it isn't something that gets fixed in 5 minutes, or even usually in an hour (4 9s requires no more than 53 minutes down).
In addition to that you also have to keep the idea of planned and unplanned outages separate. While in some cases, no outage is acceptable and thus the system needs to designed to never be down, often an outage is fine, so long as it's planned. So you can take a system down every week and still have a perfect rating because you had no unplanned outages. The system was only down at specified times. That works just fine for non-critical systems in many cases.
However if it is critical, and if it really can't ever be out at all, ever, which is more or less what 5 9s implies, then you need to have redundancy, and have it at every level. You can't have any single points of failure because the chances that you get that point fixed in time is very slim.
So no reboot on patch isn't useful for that, because in a system with that high an availability, well it has to be redundant anyhow. More important that the patch applies properly and works (which is why you do the reboot, to eliminate potential conflicts) than that you can do it on a running system. After all, you take one part down for a couple minutes as you patch and verify, that's great your uptime is unaffected. You instead apply a hot patch to all systems, which then causes them all to crash an hour later, you are screwed because you are down.
Be warned; this is already on metasploit. The intrepid can find this for themselves...
Testing it to see if it actually works though.
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
If only the writers of malicious programs dropped their Windows XP support when Microsoft does... What are my options when dark day comes?
From milw0rm here
-metric
Umm, use a firewall to block windows RPC/SMB; if you have these services exposed to the public internet you deserve what you get.
I can't figure out WHY I was modded-down as "TROLL" when I am just telling how to fix this, even WITHOUT a patch (just stall the server service, if you are a single machine using "standalone" connected to the internet - of the 3 methods for protection vs. this exploit, I feel it is the easiest AND most effective overall (for security AND performance in fact, both))...
What's the matter, Pro-*NIX'ers? Can't stand the fact that even without a patch put into place, this is easily resolved for Windows users??
(I ask that, because I cannot think of any other reason OR group of people doing that (except the "Pro-*NIX" crew here, @ /., lol!))
Hey, fact is?
Just doing ANY (preferably ALL) of what I wrote in my last post you modded down, really OUGHT to be enough to stop this from even harming anyone, EVEN WITHOUT APPLYING SAID PATCH (but, do apply it anyways)
Thus? A websurfer on a single "standalone" (using that term loosely here) online on the internet is easily secured & made invulnerable vs. this exploit, afaik!
(Via 3 separately easily issued commands (either graphically, or via commandline/terminal usage/DOS Prompt usage (or, via batch @ EVERY bootup for instance)))
NOW, please - If I am technically incorrect on ANY of my points above, & I even noted them here when this first surfaced a week++ ago:
----
Microsoft to Issue Emergency Patch For File-Sharing Hole:
http://tech.slashdot.org/comments.pl?sid=1005777&cid=25487197
(I wrote the same there as well, as I did in my last post I am replying to myself here, because of this imo totally unjustified mod-down, & in the URL link above there was no "mod-down" either... least of all, for "troll"...)
----
DO please correct me where I am technically incorrect, please do, if I am...
However, don't just "mod me down" as "Troll" when I haven't 'trolled' anything, & only told some simple methods a user can be safe vs. this attack afaik!
(Again, without even patching their OS (& saving CPU cycles, memory, & various forms of I/O too, by stalling services you may not require, &/or Protocols + Network Clients broadcast as well... making you work a little bit faster too, as a bonus!))
APK
P.S.=> If you're going to down-mod me, @ least do it for valid reasons & say why, on a valid technical basis @ least, in other words... apk
APK
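The two host-side mitigations discussed above, stopping the Server service and blocking SMB at the firewall, as one batch file for a standalone XP/2003 machine that does not share files or printers. This is an added example, not code from the thread or from Microsoft; it assumes an Administrator command prompt and the Windows XP SP2-era "netsh firewall" syntax.

```batch
@echo off
REM Added example for the mitigations discussed above; not code from the thread.
REM Stops the Server service (the MS08-067 attack surface) and turns off the
REM File and Printer Sharing firewall exception that opens TCP 139/445.
REM Assumes an Administrator command prompt on XP SP2/SP3 or Server 2003 with
REM the legacy "netsh firewall" context (pre-Vista syntax).
setlocal

REM 1. Record the state before changing anything.
echo Before:
sc query lanmanserver | findstr /i "STATE"

REM 2. Computer Browser depends on Server, so stop it first; otherwise the
REM    Server stop request is refused because a dependent service is running.
sc stop browser >nul 2>&1
sc stop lanmanserver

REM 3. Keep both from coming back at the next boot (the space after "=" is
REM    required by sc.exe).
sc config browser start= disabled
sc config lanmanserver start= disabled

REM 4. Make sure the host firewall is on and close the File and Printer
REM    Sharing exception, which is what exposes NetBIOS session (139) and
REM    direct-hosted SMB (445) to the network.
netsh firewall set opmode mode=ENABLE
netsh firewall set service type=FILEANDPRINT mode=DISABLE

REM 5. Give the service a few seconds to finish shutting down (classic
REM    batch sleep: five pings to localhost), then verify nothing still
REM    listens on TCP 445.
ping -n 6 127.0.0.1 >nul
echo After:
sc query lanmanserver | findstr /i "STATE"
netstat -an | findstr /c:":445 " | findstr LISTENING >nul
if %errorlevel% equ 0 (
    echo WARNING: something is still listening on TCP 445
) else (
    echo OK: no TCP 445 listener
)

REM To undo later: sc config lanmanserver start= auto, then sc start lanmanserver,
REM and re-enable the FILEANDPRINT exception if you need sharing again.
endlocal
```

Running it once from an Administrator prompt is enough, since the service is disabled rather than only stopped; it does not replace installing the MS08-067 update.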
Remember, only incompetent admins apply patches without testing them.
In our environment, the patch would have been put into testing the day after it was released (no sense getting caught by a brown paper bag bug) and then into production NEXT Sunday.
Your strategy fails to deal with certain 0-day scenarios. Not that competent admin would actually run critical services on Windows.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Seriously, this is only really gonna be a problem to someone connecting on dialup and it's gonna take so fucking long to send the information that the person running the exploit is most likely to have died from old age before they get anything worth a toss.
I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
Depending on what sort of software is running on those servers, and what those companies allow you to do, you could do _some_ testing with vmware server.
:).
Stuff like vmware server is free. Download it and install it.
Create a windows guest with the required virtual hardware.
Install the cheapest licensed Windows SBS on it.
Make copies for testing different software configurations and scenarios.
The courts in my country are unlikely to smack me down as long as I don't run them all at the same time, but your country might be different, so consult your lawyer.
If just a single Windows SBS license costs too much money, you might be able to get away with something like Windows XP just to test the Microsoft Windows Update cycle for any "obvious problems".
Would be strange that you can't afford the USD600+ (inclusive of the 2 x 500GB drives for storing all those vmware images), if you're doing this as a business. Maybe you should bill those companies a bit more.
I'm assuming you have your own PC, and are not some person stuck with using library/cybercafe computers (in which case installing vmware server is out).
You'll still need a windows client of course, but you can also use that windows client in vmware server for testing various client configs as well.
BTW there are free linux distros that you can run vmware server on. So you spend money on 1 x windows client, 1 x windows server and 2 x 500GB (or even 1TB) hard drives.
He's slackin' off...
Get the real Nelson in here
As Windows 2000 is affected by this vulnerability, I'm wondering if NT4 is as well. There's still a sprinkle of NT4 servers about, hidden in the back of server rooms. Will this be the push to finally replace them?
No, I've managed to have a single Linux box reach 99.999%
"Managed to have"? You are talking about 5 9's as something that you can reach. People who demand 5 9's consider that the minimum they will accept. They don't want systems that can reach 5 9's they want systems guaranteed not to be less than 5 9's. That's a HUGE difference.
I have 9 nines on my desktop and, here's the kicker, my laptop. I offer the same SLA to clients willing to pay for it. How do I manage it?
1) Don't buy crappy hardware, and stress the stuff you do buy before putting it into production.
2) Run a decent OS. Fanboys pick your fav.
3) Don't patch anything you don't need to. Port 139 is vulnerable but you don't need it? Just block it.
Adhere to the terms of the SLA. This is key, define the SLA to support 99.9999999% such that reboots are not included. Ta dah!
It's all quite simple really.
I'm sorry... downplayed?
Is there any admin in the world that didn't get the message that this was kinda sorta urgent?
This was the first time in four (?) years that Microsoft went out-of-cycle on their patches. That alone got attention, and would hardly be considered "downplayed".
Every stinkin' newsletter I got last week mentioned it. Vendors mentioned it. Slashdot mentioned it a dozen times. And Microsoft sent out many many bulletins.
What would it take to satisfy the submitter's requirements for sufficient attention? CDs mailed out via FedEx Next Day to every registered owner of Windows?
Perhaps the real downplaying is what Slashdot tends to do whenever a Linux-related bug is found.
-David
The majority of them, that is, you know, the ones with 400+ days of uptime.
I saw all the fuss last week about this, so I went ahead and read the MS release. My reaction: "meh". Yes, we're running windows. About 100 desktops and 13 servers. No, we don't patch everything at the drop of a hat.
This patch will be rolled out here in 2-3 months, along with a bunch of other MS patches. Do we test everything thoroughly? No, that would be far too much time and effort. We wait a few months so that everybody else can do the bulk of the testing for us, then internally we simply roll patches out to IT first for a couple of weeks, then send them to the rest of the company. Sometimes we'll go 6-12 months between patches.
Do I worry about Viruses? Yes, I'm constantly aware of them, and I read most of the MS security bulletins, but it's not something that keeps me awake at night. In the last 2 years I've seen just one bug that actually had a chance of infecting our machines. Good firewall and e-mail security, and locked down workstations are a far better solution than patching all the time.
Most people don't seem to realise that it's actually pretty easy to secure windows, and to do so with minimal disruption. 99% of our users don't even know what we do. For the rest, the extra security adds a few minutes delay from time to time.
Talk about being let down...I thought they were going to post the actual code for the exploit...this would have been great news for some of us....I am trying to apply this exploit to show my admin we REALLY need those patches, although no one seems to care....anyone have links or code they could share???
http://tech.slashdot.org/comments.pl?sid=1010923&cid=25549351
Thanks for the "mod-up", whoever did so...
As I stated in my reply earlier (prior to this one I am replying to)?
I was wondering WHY I was "modded down" as a "troll" - no justification was given originally!
(Troll - for whatever that means, it can't be good imo)
I could NOT see how/why I was downrated, when my init. post here shows anyone who isn't part of a LAN/WAN @ work, or home, can be safe vs. this exploit, merely by stopping the server service (which you do NOT need to be online, & by stopping it, you are safer (even MINUS this patch by MS) but, you also save CPU/Memory/various forms of I/O as well by doing so, thus, performing better (@ least potentially, depending on what it is you do daily on your machine))
It's my 2nd one actually that did so, my post prior to this one shows where I posted this speed & security gain here ORIGINALLY on this website, when it surfaced more than a week before this latest news on it no less & how to stop it being a threat (even prior to any patch issuing from MS)
----
Microsoft to Issue Emergency Patch For File-Sharing Hole:
http://tech.slashdot.org/comments.pl?sid=1005777&cid=25487197
----
AND, yes, it works (for better security, & as a bonus for those NOT part of a LAN/WAN or even small home network setup? More speed results by not wasting CPU cycles/Memory/& other forms of I/O running a service you probably do NOT need @ all with a single machine online on the internet)...
APK
P.S.=> Again - thanks (@ times? Slashdot's folks aren't bad @ all... you've "restored my faith" in humanity, & this site, lol!)... apk
So much for your average Vista hatred. Vista is a more secure system.
If you start to lose an argument based in 'nuh uh, yeah huh' then immediately question the person's choice of vi versus emacs.
vi is [[13~^[[15~^[[15~^[[19~^[[18~^ a muk[^[[29~^[[34~^[[26~^[[32~^ch better editor than this emacs. I know I^[[14~'ll get flamed for this but the truth has to be said. ^[[D^[[D^[[D^[[D ^[[D^[^[[D^[[D^[[B^ exit ^X^C quit :x :wq dang it :w:w:w :x ^C^C^Z^D
it's hard to put into words. I grab a folder or a file and start moving to where I want it and 3 things happen: 2 bad, one good. bad1 is windows start opening to areas I don't want while I'm dragging. bad2 is I end up dropping the file where I think it is the right place, but it is in the folder above where I want. the good result is the stuff is moved where I want, which is about 40% of attempts. I finally got to the point where I don't use finder to move files - it fails so often.